AUTHENTICATED_USER is not reliable! [Was: [Zope] become user (su inside Zope) - pretend to be another user]
bkc at murkworks.com
Fri Oct 24 12:58:15 EDT 2003
On 24 Oct 2003 at 10:35, Stefan H. Holek wrote:
> Why is everybody so obsessed with AUTHENTICATED_USER? This variable is not
> suitable for anything deserving the name "security". It is NOT SAFE to
> assume that it will contain anything useful.
Thanks for bringing this up.
I've changed my code. I had thought that AUTHENTICATED_USER was "a special
attribute of REQUEST".
Brad Clements, bkc at murkworks.com (315)268-1000
http://www.murkworks.com (315)268-9812 Fax
http://www.wecanstopspam.org/ AOL-IM: BKClements